Lesson 24 – TCP/IP – Utilities
Many utilities are available to troubleshoot TCP/IP connectivity problems. Most utilities
are public domain and are included with the TCP/IP protocol stack provided with the
operating system. This also means that they vary slightly depending upon the
implementation of these programs by the vendor. Although these utilities generally
provide very basic functions, a proper understanding of the usage of these tools will
enable you to effectively troubleshoot most problems.
The most commonly used TCP/IP troubleshooting tools are discussed in this lesson. The
final section identifies common problems and how the different tools can be used to
troubleshoot and resolve these problems. The following list provides a brief description
of each utility discussed in this lesson and its core functions.
Arp: Displays and modifies the local ARP cache
Telnet: Remote terminal emulation, administration, and troubleshooting
NBTSTAT: Checks the state of NetBIOS over TCP/IP connections
Tracert: Traces and reports on the route to a remote computer
Netstat: Displays statistics for current TCP/IP connections
IPCONFIG: Displays current IP configuration information
Ftp: Enables file transfers between remote computers
Ping: Verifies host name, host IP address, and physical connectivity to a remote TCP/IP computer
Network interface cards (NICs) each have a hardware address or MAC address associated
with them. Applications understand TCP/IP addressing, but network hardware devices,
such as NICs, do not. For example, when two Ethernet cards are communicating, they
have no knowledge of the IP address being used. Instead, they use the MAC addresses
assigned to each card to address data frames. The Address Resolution Protocol (ARP)
was designed to provide a mapping from the logical 32-bit TCP/IP addresses to the
physical 48-bit MAC addresses.
Address resolution is the process of finding the address of a host within a network. In this
case, the address is resolved by using a protocol to request information via a form of
broadcast to locate a remote host. The remote host receives the packet and forwards it
with the appropriate address information included. The address resolution process is
complete once the original computer has received the address information.
ARP maintains the protocol rules for making this translation and providing address
conversion in both directions within the OSI layers, as illustrated in the figure below. This
utility is used to display and modify entries within the ARP table.
Remember that ARP translates IP addresses into MAC addresses. The Reverse Address
Resolution Protocol, or RARP, is used to find a TCP/IP address from a MAC address.
The logical data flow for the Address Resolution Protocol
How ARP Works
When a data packet destined for a computer on a particular local area network arrives at a
host or gateway, the ARP protocol is tasked to find a MAC address that matches the IP
address for the destination computer. The ARP protocol then looks inside its cache table
for the appropriate address. If the address is found, the destination address is then added
in the data packet and forwarded on. If no entry exists for the IP address, ARP broadcasts
a request packet to all the machines on the local area network to determine which
machine maintains that IP address. If found, the host with that IP address will send an
ARP reply with its own MAC address. If the destination is on a remote subnet, the
address of the router or gateway used to reach that subnet is placed in the packet and
forwarded on. If the ARP cache does not contain an IP address for the router or gateway,
it will use the same methods to resolve the address. The ARP cache is then updated for
future reference and the original data packets are then forwarded to the correct host.
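The request and reply described above, as an added example that is not part of the original lesson: it builds and parses the 28-byte Ethernet/IPv4 ARP message carrying the 48-bit MAC and 32-bit IP addresses, then updates a cache from the reply. The addresses and function names are constructed for illustration, and the cache update is a simplified version of what a real stack does.

```python
import ipaddress
import struct

# 28-byte ARP body (RFC 826): htype, ptype, hlen, plen, oper, then MAC/IP pairs.
ARP_FMT = "!HHBBH6s4s6s4s"
# Opcode values from RFC 826 (ARP) and RFC 903 (RARP).
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", ""))


def mac_text(raw):
    return "-".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"type": OPCODES.get(oper, f"unknown opcode {oper}"),
            "sender_mac": mac_text(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_text(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def learn(cache, payload):
    """Simplified cache update: record the sender's IP -> MAC mapping."""
    msg = parse_arp(payload)
    if msg["type"] in ("ARP request", "ARP reply"):
        cache[msg["sender_ip"]] = msg["sender_mac"]
    return msg


# Constructed exchange: 192.168.1.10 asks for 192.168.1.20, which replies.
REQUEST = build_arp(1, "00-a0-c9-14-c8-29", "192.168.1.10",
                    "00-00-00-00-00-00", "192.168.1.20")
REPLY = build_arp(2, "00-60-08-75-43-bc", "192.168.1.20",
                  "00-a0-c9-14-c8-29", "192.168.1.10")
```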
As protocols go, ARP provides a very basic function. Only four types of messages can be
sent out by the ARP protocol on any machine:
To reduce the number of address resolution requests, thereby minimizing network
utilization, a client caches resolved addresses for a short time. This table, known as the
ARP cache, is used to maintain the mappings between each MAC address and its
corresponding IP address locally. This is the most important part of this protocol. Since
the size of the ARP cache is limited, entries need to be cleaned out periodically. Without
purging entries from the cache, it could continually grow to become huge in size and
could contain quite a few obsolete entries. Therefore, ARP cache entries are removed at
predefined intervals. This process also removes any unsuccessful attempts to contact
computers which are not currently running.
Entries in the ARP cache can be viewed, added, or deleted by using the ARP utility.
Entries that are added with this utility manually are static and will not age out of the
cache like the dynamic entries. This can be helpful when trying to resolve address
resolution problems. By displaying the current cache, you can determine whether a
remote host MAC address is being resolved correctly.
Type the following command and press Enter to view the ARP cache:
The figure below shows an example of an ARP cache.
Customizing the ARP Cache
Additional options are available to customize the information found in the ARP cache.
For example, you can filter the entries displayed when you list them with ARP. By
appending the appropriate IP address after the -a switch, the table will list entries only for
that particular IP address, as shown below. This can be useful when trying to isolate
specific entries in a large table.
Type the following command and press Enter to view the ARP cache for a specific IP
address:
ARP -a <IP address>
Computers that contain multiple NICs, or multi-homed computers, have more than one
network interface listed. The ARP cache maintains addresses for each interface within its
tables. By using the ARP -a option, all interfaces will be listed. To filter the
address listing based upon a specific interface, use the -n option. This enables you to
specify which interface to display addresses for, as shown in the figure.
Type the following command and press Enter to view the ARP cache for a specific
interface:
ARP -a -n <interface>
Adding Static Entries
Static entries can be added manually when necessary. This can be especially helpful
when you have a computer that transfers large amounts of data to a remote host
continually. By adding a static entry for the remote host into the computer’s ARP cache
table, updates do not need to constantly occur. This option can also be used to test
whether the local computer is receiving updates correctly.
Suppose that you are trying to connect to another computer on the same network. You are
unable to find the remote computer; however, the other machines around you seem to
work fine. First, display the local ARP cache to determine if the remote host has an entry
present. If not, you can add a static entry into the ARP cache to allow you to determine
whether the computer is properly receiving updates. With the entry in place, you notice
that you can locate the remote computer now. It is safe to say that the cache was not being
updated correctly with the appropriate MAC address, and that adding a static entry
bypassed the problem.
You can manually add entries by using the following command:
ARP -s <IP address> <MAC address>
Deleting Static Entries
You may need to delete any entries you have manually added. You also may need to
manually remove any entries that have been dynamically added to the ARP cache. Use
the following command to delete entries from the ARP cache:
ARP -d <IP Address>
ARP Cache Aging
Unlike static addresses, which never age out, dynamic addresses remain for only a
predetermined amount of time. Windows NT adjusts the size of the ARP cache
automatically. Entries not used after two minutes are removed. If entries are in use, they
remain for ten minutes before they are removed. A registry parameter within Windows
NT is also available to allow for more control over the aging parameters. The registry
parameter is located in the following directory:
A little-known protocol exists to facilitate the reverse function of ARP. Reverse Address
Resolution Protocol (RARP) enables a machine to learn its own IP address by
broadcasting a request that contains its own MAC address. A RARP server containing these
mappings can respond with the IP address for the requesting host. In most cases, a machine knows
its own IP address; therefore RARP is primarily used for situations such as diskless
workstations, or machines without hard disks. Dumb terminals and NetPCs are good
examples of diskless workstations.
Troubleshooting Duplicate IP Address Problems
During system startup and as the IP protocol initializes, an ARP request is broadcast
containing its own MAC and IP addresses. This is done so that other computers can
update their ARP caches with this information. If a computer already has this IP address,
it will respond with an ARP reply containing its own MAC and IP address, indicating a
conflict. Other computers will have already updated their own ARP caches, though. By
having two computers with the same IP address, you can potentially cause problems with
many different computers.
In the event a duplicate address is found, the Windows NT 4.0 Service Pack 3 TCP/IP
stack is written to send out a new ARP broadcast to re-map the ARP cache on all affected
computers. The MAC and IP addresses of the original computer will be contained within
this new ARP. Once this ARP has been broadcast, the TCP/IP protocol stack will shut
down and the computer will log the address conflict.
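An added example (not part of the original lesson) of the cache checks described above: it parses arp -a style output and reports IP addresses whose MAC address changed between two snapshots, which is what other computers see when a second machine claims an address, along with MAC addresses listed for more than one IP. The sample tables, addresses and function names are constructed for illustration, and the column layout is assumed to follow the Windows arp -a listing.

```python
import re
from collections import defaultdict

# One cache row: IP address, dash-separated MAC address, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE)

# Constructed sample output; AFTER differs in the MAC recorded for 192.168.1.20.
BEFORE = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-14-c8-29     dynamic
  192.168.1.20          00-60-08-75-43-bc     dynamic
  192.168.1.30          00-10-4b-9c-11-02     static
"""
AFTER = BEFORE.replace("00-60-08-75-43-bc", "00-10-4b-9c-11-02")


def parse_arp_table(text):
    """Return {(interface_ip, ip): (mac, type)} from arp -a style output."""
    table, iface = {}, None
    for line in text.splitlines():
        if line.strip().lower().startswith("interface:"):
            iface = line.split()[1]
            continue
        m = ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[(iface, ip)] = (mac.lower(), kind.lower())
    return table


def changed_mappings(before, after):
    """(ip, old_mac, new_mac) for every IP whose MAC differs between snapshots."""
    return [(ip, before[(iface, ip)][0], mac)
            for (iface, ip), (mac, _) in after.items()
            if (iface, ip) in before and before[(iface, ip)][0] != mac]


def shared_macs(table):
    """MACs recorded for more than one IP on the same interface."""
    seen = defaultdict(set)
    for (iface, ip), (mac, _) in table.items():
        if mac != "ff-ff-ff-ff-ff-ff":  # ignore the broadcast address
            seen[(iface, mac)].add(ip)
    return {mac: sorted(ips) for (_, mac), ips in seen.items() if len(ips) > 1}
```

A changed mapping is not always a conflict, since a replaced NIC produces the same result, so treat each hit as a prompt to check which machine owns the reported MAC address.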
Although ARP is simple compared to most other protocols, it is just as important to
TCP/IP for proper functionality. The utility included with this protocol will enable you to
display and modify the ARP cache as needed. This enables you to effectively
troubleshoot any issues that may arise with ARP.
1. What is the purpose of TCP/IP utilities?
2. What is ARP?
3. What is ARP used for?
4. How many bits are in an IP address?
5. How many bits are in a MAC address?
6. What are the four types of messages sent out by ARP?
7. What is ARP cache?
8. What is the purpose of the ARP -a <IP address> command?
9. What command will display the cache for a specific network card?
10. How do you delete a cache entry?
11. What is cache aging?